A company that manufactures medical equipment is soliciting bids to hire someone to conduct a security audit and develop policy to enhance their computer and network security. You are charged with writing a proposal so your company can bid on and hopefully win the contract to conduct the security audit. This paper should be written as a proposal to win the contract to conduct the security audit. The proposal should contain specific details of computer and network security issues, what you propose to audit, as well as your thoughts/philosophies about how the different pieces of the IT environment of a medical equipment company should be set up.
Assignment details
Company background
This company manufactures medical testing equipment such as X-Ray, MRI and CAT scan machines. They also manufacture lab testing equipment which is used to determine the status of patient samples.
The company has offices across the United States with main offices in New York City and San Francisco as well as branch offices in Chicago and Seattle.
Here is what each office does:
NYC – Headquarters, Finance & Marketing, IT
San Francisco – Manufacturing, IT
Chicago – Client support
Seattle – All back office functions, i.e. accounting, HR, etc…
The New York City and San Francisco offices have data centers.
As they manufacture medical equipment, the company frequently interacts with hospitals, doctors, insurance companies, and city, state and federal governmental agencies.
Being in the medical field they are very concerned about Computer and Network security. As a result they are soliciting proposals from vendors to come in and perform a top-to-bottom IT security audit as well as to develop and provide policy around computer and network security.
Assignment detail
You are to write a proposal to be submitted to the Medical company to win the contract to conduct a top-to-bottom IT security audit of the organization along with recommendations for improving their situation.
Your proposal should include the following information:
1) Cover page
2) Introduction
– What is the purpose of the proposal? Why are you submitting it?
– What is the background of your company? How long have you been in business? What kind of IT professionals are on your staff? Are any of them certified IT security personnel? If so what certifications do they hold and how many employees like them do you have?
– What is your philosophy/Why do you feel that conducting an IT security audit is important?
3) Explanation of the challenges facing computer and network security along with what you will audit – What are some of the computer and network security challenges facing an organization? If hired, what specifically will you audit, and what computer and network security recommendations do you feel are important? (Please be sure to mention the most important topics that we covered in this course.)
The below represents the bulk of this assignment and is broken down into categories such as Physical Security, Network Security, Access Control, etc. Each category is broken down further into (2) sections, section 1 and section 2. In general, you should use section 1 to speak about the computer and network security risks facing that particular category. You should use section 2 to speak about your recommendations for combating the computer and network security challenges you speak about in section 1.
Here are the categories and suggestions for both sections of each category.
a) Physical security –
Section 1 – What are the important things to look for in terms of physical security? What physical security items will you be looking to audit? What are some things to be concerned about in terms of how physical security can be attacked and/or be the source of a security breach? What areas relating to physical security will you look at, and what will you specifically look for in terms of the physical security of the company? What about access to sensitive areas of the various buildings? Operating hours, employee and guest access, etc… What are some ways that physical security can be a conduit for security breaches?
Section 2 – What are some physical security items/technologies/policies you might suggest be implemented to prevent possible physical security breaches?
Here are some suggested Physical security Items to consider
Physical building/Office suite and Data Center/IT closet access
Normal and after hours as well as guest access
Physical security technologies and policies
Placement of physical security technology
b) Network design –
Section 1 – What are the important things to look for in terms of Wired, Wireless (WIFI) and telephone network security and design? What are some things to be concerned about in terms of how the Network can be attacked and/or be the source of a security breach? What specific network zones will you look for and what equipment/services/applications will you look to see that are and are not in each network zone? What tools, if any, will you use to determine the state of the network? What will you look for in terms of how the company WIFI and telephone networks are setup? How about access to the administrative consoles of network devices? What about Intrusion detection and prevention? How about providing remote access to users?
Section 2 – What are some network security items/technologies/policies you might suggest be implemented to harden the network and the devices that compose a network? What are some of your thoughts on how the computer network (wired, wireless (WIFI) and telephony) of a medical company should be set up? What can be done to harden the wired and wireless networks? Can VLANs be of assistance with securing a wired, wireless and/or voice network? What is your philosophy on how the administrative consoles of network devices should be secured and accessed? Do you have any recommendations in terms of firewall types/classes and/or IPS/IDS devices that should be used (please do not recommend any specific vendors)? What about technologies to provide remote access?
c) Access control, Identity management, Authentication – Please note that in this section you should speak about access control and identity management for applications, workstations and systems, not physical security.
Section 1 – What will you look for in terms of access control and identity management? What are some things to be concerned about in terms of how access control can be attacked/compromised and/or be the source of a security breach? What are some methods of proving an identity to an authentication server? What will you look for in terms of account naming conventions, password management and general account management policies? What is “single sign-on” and what are its benefits/deficiencies? What are some access control best practices? What is Windows Active Directory, and how can it, along with groups, help with access control/identity management/authentication? What are RADIUS and TACACS, and do they play a role here? How do policies such as least privilege and job separation fit into this topic?
Section 2 – What are some access control models/technologies/policies you might suggest be implemented to harden access control in general, and on Windows and Linux hosts in particular? What are some methods/technologies to authenticate? What do you feel account naming/password policies should be? Do you recommend implementing an SSO/authentication system? If so, which one(s) and why? Which access control best practices do you recommend implementing and why? Do you recommend implementing RADIUS and/or TACACS, and if so, where and why? What about multi-factor authentication (things that you are, things that you have, things that you know)? What role do MS Active Directory groups play in this space?
d) Host security –
Section 1 – What are the important things to look for in terms of host security? What host security items will you be looking to audit? What are some things to be concerned about in terms of how host security can be attacked/compromised and/or be the source of a security breach? Be sure to cover servers in general along with file servers as well. What will you look for in terms of how servers are maintained (managed) and secured? What will you do about securing administrative access to their consoles? What will you look for in terms of file system security? What is malware and what are the risks it poses? Is there anything to be concerned about in terms of embedded systems or “The Internet of Things (IoT)”?
Section 2 – What are your “best practice” model/technology/policy recommendations for hardening Windows, Linux and file servers? What is your philosophy on securing server consoles? Do you recommend taking a look at any specific technologies to assist with securing sensitive files/file systems? What are your recommendations for protecting the organization from malware? What, if anything, can be done in terms of securing embedded systems or “Internet of Things (IoT)” devices?
e) Securing data –
Section 1 – What are the important things to look for in terms of securing data? What items related to securing data will you be looking to audit? What are some things to be concerned about in terms of how data can be attacked/compromised and/or be the source of a security breach? Be sure to speak about protecting data that is being stored on servers, workstations, mobile devices and removable media, along with things to be concerned about when securely transmitting data.
Section 2 – What are some models/technologies/policies you might suggest be implemented in order to Secure Data?
Here are some suggested Items to consider when Securing Data:
Cryptography and Cryptographic attacks
File encryption
Public key infrastructure
Hashing
Data transmission
Data loss prevention
Backup and restore
f) Application security –
Section 1 – What are the important things to look for in terms of Applications and Application Security? What Application Security items will you be looking to audit? What are some things to be concerned about in terms of how Applications can be attacked/compromised and/or be the source of a security breach? Applications to consider here include web browsers, email systems/clients, as well as commercial and “home-grown (company-developed)” applications. Be sure to speak about some ways web browsers and email clients can provide conduits into the network/systems for security breaches/attacks. What are some things to worry about in terms of peer-to-peer software, instant messaging (IM) and Cloud services?
Section 2 – What are some Application and Application Security models/technologies/policies you might suggest be implemented to harden Applications and Application Security? What are some things that can be done to “harden” web browsers, email systems and applications? What can be done to protect against security issues related to using peer-to-peer and instant messaging applications?
Here are some suggested Applications and Application Security Items to consider:
Web application attacks
Internet browsers
App development and Deployment
Cloud services
g) Policies, procedures and Ongoing Assessment –
Section 1 – What are the important things to look for in terms of policies and procedures? What policies and procedures will you be looking to see are present and/or audit? What role can policies and procedures play in securing an organization? Why is it important to continually review (ongoing assessment) the security posture of an organization? (Think about all of the policies we covered in this course.) What about logging? What will you look for in regards to logging? What about conducting audits? Should they be done? If so, how, why and how often? What will you look for in terms of IT security incident management?
Section 2 – What are some suggested Policies and Procedures you feel can help secure an organization? What are some tools that can be used to continually monitor an organization? What should be done in the event of a security incident?
Here are some suggested Policy and Procedure Items to consider:
Manageable network plan
Social engineering
Employee management
Incident response
Vulnerability assessments
Penetration testing
Log management
Audits
4) Expectations – What can the client expect that you need from them to conduct the audit and what can they expect to receive from your company if you were to win this bid?
How long do you expect the audit to take?
Which, if any, employees of the company will you need access to in order to conduct the audit?
What, if any, IT infrastructure will you need access to, and what will you need from this infrastructure?
What, if any, documents/policies will you need to see?
If awarded the bid, what, exactly, will you deliver to the company?
GROUND RULES FOR THIS ASSIGNMENT
Spelling, grammar and “readability” count
Must upload an MS Word or .PDF document
Document must include a cover page and be of sufficient length to present a thorough proposal, but please complete the assignment using no more than (20) pages (feel free to use fewer than (20) pages).
Please be sure to include content which addresses each of the sections listed above
Suggested proposal format is as follows:
Cover page
Introductory section
Physical security section
Network security section
Access control section
Host security section
Securing data section
Application security section
Policies and Procedures section
Expectations section